
[ISSForum] TRONS Rules for Bugbear.b



If you are interested in looking for BugBear infections with RealSecure
7.0 or Proventia, here are some TRONS rules to detect the mail
transmissions.  Since these are plain text matches on the subject lines,
legitimate mail carrying the same subject text will also be flagged.

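# TRONS (Snort-syntax) rules for Bugbear.B mail propagation, as posted to ISSForum.
#
# How they match: each rule is an unanchored, case-sensitive content match on
# any traffic destined to TCP/25.  As in Snort, a bare content: match is NOT
# limited to the Subject: header, so the same string appearing in a message
# body, or in legitimate mail, will alert as well.  Very short generic strings
# ("News", "update", "Hi!", "Stats", "Cows", "various") will be noisy; review
# or disable those before deploying, or tighten them to the Subject: line where
# your engine supports header-anchored matching.
#
# Formatting: every rule must sit on a single line -- the mail client wrapped
# the original post mid-string, which would not load as written.
#
# sids: the original post gave every rule sid:1, which makes alerts
# indistinguishable and (in Snort) collides as duplicate rule ids.  The sids
# below are constructed placeholders in the local-rule range (>= 1000000);
# renumber them to fit your deployment.  msg: and content: strings are kept
# exactly as posted.
alert tcp any any -> any 25 (msg:"BugBearB";content:"25 merchants and rising";sid:1000001;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Announcement";sid:1000002;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"bad news";sid:1000003;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"CALL FOR INFORMATION!";sid:1000004;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"click on this!";sid:1000005;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Correction of errors";sid:1000006;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Cows";sid:1000007;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Daily Email Reminder";sid:1000008;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"empty account";sid:1000009;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"fantastic";sid:1000010;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"free shipping!";sid:1000011;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Get 8 FREE issues - no risk!";sid:1000012;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Get a FREE gift!";sid:1000013;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Greets!";sid:1000014;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Hello!";sid:1000015;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Hi!";sid:1000016;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"history screen";sid:1000017;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"hmm..";sid:1000018;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"I need help about script!!!";sid:1000019;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Interesting...";sid:1000020;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Introduction";sid:1000021;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"its easy";sid:1000022;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Just a reminder";sid:1000023;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Lost & Found";sid:1000024;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Market Update Report";sid:1000025;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Membership Confirmation";sid:1000026;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"My eBay ads";sid:1000027;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"New bonus in your cash account";sid:1000028;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"New Contests";sid:1000029;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"new reading";sid:1000030;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"News";sid:1000031;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Payment notices";sid:1000032;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Please Help...";sid:1000033;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Re: $150 FREE Bonus!";sid:1000034;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Report";sid:1000035;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"SCAM alert!!!";sid:1000036;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Sponsors needed";sid:1000037;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Stats";sid:1000038;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Today Only";sid:1000039;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Tools For Your Online Business";sid:1000040;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"update";sid:1000041;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"various";sid:1000042;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Warning!";sid:1000043;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"wow!";sid:1000044;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Your Gift";sid:1000045;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Your News Alert";sid:1000046;rev:1;)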

--------------------------------------------------------------
Chris Rouland
Vice President
X-Force R&D
Internet Security Systems, Inc.
http://xforce.iss.net
crouland@xxxxxxx
 
